Sophos Anti-Virus for Windows NT Release Notes ---------------------------------------------- Version 3.17 International, January 1999 NOTICE ------ The software program enclosed with this Notice ("the Software") is a pre-release version. You acknowledge, therefore, that you will use the Software entirely at your own risk. Accordingly, the Software is provided "as is" and in no event will Sophos Plc be liable to you for any loss or damage of any kind (except personal injury or death resulting from Sophos Plc’s negligence) arising from your use of or inability to use the Software, or from faults or defects in the Software whether caused by negligence or otherwise. No warranties, conditions, undertakings or other obligations, whether expressed or implied by common law, trade usage, course of dealing or otherwise, are given or undertaken by Sophos Plc in respect of the Software, all of which are hereby excluded to the fullest extent permitted by law. New in this version ------------------- The virus information in this pre-release version is the same as that in Sophos Anti-Virus Version 3.17. A list of new viruses detected by Version 3.17 can be found in "What's New" on the Release CD, or in the READNEWS.TXT file on the SWEEP for DOS 3.17 Installation Disk. Functional enhancements include: * Multiple language support (see "Additional information"). * A new splash screen. * A new InterCheck driver, compatible with Windows NT 5 (see "Additional information"). * The automatic selection of "all local disks" by default in the drive list. * An independently-resizeable application window for easier configuration. * Ability to exclude specified directories, as well as individual files, in the exclusion list. * Faster loading of the virus library. * An enhanced desktop messaging module (DESKTOP.SMM). * Built-in support for third-party products (e.g. RoboMon, Event Viewer) which may lock elements of the system during updating. * Full support for auto-updating using the Novell IntraNetware Client32 modules. * Full support for the forthcoming release of the Sophos Anti-Virus Administration tool. * Improved file checksuming. Please Note: * NT machines which automatically upgrade from a central installation of Sophos Anti-Virus will need to be restarted if they are changed from an International to a standard installation. Until the restart occurs the InterCheck client will not be active (see "Additional information"). Additional information ---------------------- 1. Multiple language support This pre-release is now internationalised allowing it to support multiple languages. Currently English, French, German, Japanese and Spanish versions are available. SETUP will automatically install the appropriate language support files based on the computer's regional settings. You can check the computer's regional settings from: Start/Settings/Control Panel/Regional Settings If you run SETUP on a supported language platform, the language support files will be installed along with the standard Sophos Anti-Virus For Windows NT components. These support files will be installed to the following sub-folders in the "Sophos SWEEP for NT" program folder: English - always installed. French - \FRA sub-folder German - \DEU sub-folder Japanese - \JPN sub-folder Spanish - \ESP sub-folder If you wish to install additional language support files please use the following procedure: i) Delete setup.exe from the central installation directory ii) Copy all the language sub directories from the CD-ROM into the central installation iii) Run setup in the normal manner from the CD-ROM If you do NOT wish to install the Japanese support files on a Japanese system, use the SETUP command line qualifier "-LANG=ENG" to force only the English files to be copied: a:\SETUP -LANG=ENG 2. InterCheck client A number of enhancements have been incorporated into the InterCheck client. Please note that after upgrading from a previous version of Sophos Anti-Virus for Windows NT the system must be restarted before the new InterCheck driver is activated. You do not need to restart your system immediately after an upgrade. InterCheck will continue to operate correctly. The new features will be activated next time the system is restarted. These new features include: * Support for NFS clients The InterCheck client can now operate with the following NFS network clients: InterDrive NFS (FTP Software) Chameleon NFS (NetManage) Maestro NFS (Hummingbird Communications Ltd) Solstice NFS version 3.1 (Sun Microsystems Inc) * Improved time-out settings InterCheck time-outs have been made adaptive to avoid errors when checking very large files. * Simplified support for Web servers The client now no longer requires Service Pack 3 with Windows NT 4.0 to function correctly with Web and FTP server software. * Simplified support for Novell Application Launcher (NAL) When using NAL, it is no longer necessary to configure InterCheck to exclude the $special.net file. * Direct access to ZIP disks InterCheck no longer reports an error when a non-administrator first attempts to use a ZIP disk which was formatted under DOS or Windows 95. * Enhanced error reporting Additional reporting of configuration errors has been built into the new InterCheck client. 3. Disinfecting files Sophos Anti-Virus for Windows NT supports the automatic disinfection of files to which the administrator does not have write access. This feature is available only for scheduled sweeps of local drives. The feature is enabled automatically if the SWEEP service is running as "LocalSystem". If an alternative account is being used, it must be given the rights "Back up files and directories" and "Restore files and directories". All documents reported as having been disinfected should be reviewed to ensure that the virus made no changes to the content. 4. Administration security An administrator can choose to set the immediate job configuration details which all non-administrators MUST use. This can be done via the administrator-only "Security" option. Using this feature prevents non-administrators from changing the immediate job configuration. Non-administrators will only be able to start and stop immediate jobs and choose which of their own files to sweep. When configuring Administration security, the administrator can control the way in which infected files are quarantined when the Removal mode is set to "Move". To keep the files of individual users separate when they are quarantined, the string %USER% can be used in the quarantine path. This will be replaced with the name of the logged-in user at the time the file is quarantined. For example, if the path in the Action dialogue is set to: \\SERVER\InterChk\Infected\%USER% then quarantined files will be moved into a directory structure such as: \\SERVER\InterChk\Infected\FirstUser\CONCEPT.000 \\SERVER\InterChk\Infected\UserTwo\FORM.000 \\SERVER\InterChk\Infected\UserTwo\MYDOC.000 \\SERVER\InterChk\Infected\ThirdPerson\COOLGAME.000 The string %USER% can also be used in the Report dialogue to place users' report files in separate folders. The administrator-defined configuration details are stored in the HKEY_USERS section of the registry. The key HKEY_USERS\.DEFAULT\ Software\Sophos\SWEEPNT is used if the service is running as "LocalSystem", and the service's own USERS key if running in another account. These configuration details can be deployed to computers on which Sophos Anti-Virus for Windows NT is already running using the tool SWDEPLOY (available in the directory \TOOLS\SWDEPLOY on the Release CD). N.B. When selecting "Scheduled access to network resources", Sophos recommends that you use an account that is dedicated to Sophos Anti-Virus for Windows NT. This ensures that the Sophos Anti- Virus service maintains its own configuration information. 5. Switching between International and Standard version During an unattended auto-upgrade the set up program will not initiate the restart sequence required to re-enable the InterCheck client driver. This will result in the loss of on-access protection until a manual restart is performed. Troubleshooting --------------- The following problems may require the use of the Registry Editor (Regedt32.exe). Microsoft have issued the following warning with respect to the Registry Editor: "Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk." 1. Errors accessing network shares from remote computers After installing Sophos Anti-Virus for Windows NT you may encounter difficulties accessing network shares from remote computers. You may also receive one of the following error messages: "Not enough server storage is available to process this command." "Not enough memory to complete transaction. Close some applications and retry." Additionally, the Windows NT server may log one or both of the following event messages in the system log: Event ID : 2011 Source : Srv Description : The Server's configuration parameter "IRPStackSize" is too small for the server to use a local device. Please increase the value of this parameter. Event ID : 0 Source : Srv Description : Description for Event ID 0 could not be found. It contains the insertion string \device\LanManServer. This is a restriction imposed by the default NT server configuration. The following registry entry is required to solve the problem. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ Parameters\IrpStackSize Type: REG_DWORD Data: 0x6 You can use REGEDT32 to modify or create this entry in the registry. You will need to restart the system before the change will take effect. If you still experience problems a larger value can be selected. The valid range for this parameter is 0x1 to 0xC (1 to 12). Please see the Microsoft knowledge base article ID Q10075 for further information. 2. Auto-upgrade service To function correctly the auto-upgrade service MUST be installed as the "LocalSystem" account and have "Allow Service to Interact with Desktop" selected. 3. Sweep service application error Occasionally Sophos Anti-Virus may encounter files whose structure can lead to the service appearing to "hang" or clients losing their connections. In these conditions it is possible to fine tune the types of files which SWEEP will check using the following registry settings. To disable the checking of non-template Word documents set: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SweepNT\Advanced\NITB Type: REG_DWORD Data: 0x0 To disable the checking of VBA3 documents (e.g. Excel files) set: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SweepNT\Advanced\VBA3 Type: REG_DWORD Data: 0x0 To disable the checking of VBA5 documents (Office 97 files) set: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SweepNT\Advanced\VBA5 Type: REG_DWORD Data: 0x0 To disable the checking of the Portable Executable files set: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SweepNT\Advanced\PEF Type: REG_DWORD Data: 0x0 To disable the automatic decompression of VBA5 compressed streams: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SweepNT\Advanced\VB5D Type: REG_DWORD Data: 0x0 You can use REGEDT32 to modify or create these entries in the registry. You will need to restart the service before the changes will take effect. 4. Intercheck logging For InterCheck logging to work correctly the SWEEP for Windows NT Network Service must use an account that is able to see the InterCheck Server share. This may not be the case if the auto-upgrade option was not selected during installation. If InterCheck logging fails to work correctly a suitable account may be selected as follows: * Go to Control Panel->Services. * Select the SWEEP for Windows NT Network Service. * Click the "Startup..." button. * Under "Log on As:", select the field "This Account". * Enter an account in the form DOMAIN\User with access to the relevant InterCheck Server share. * Fill in the password field as appropriate. * Click "OK" to confirm the change. * Stop and then Start the service. 5. Third party applications using SAVI.DLL. If the installed versions of SAVI.DLL and SWDETECT.DLL do not match, third party applications may report that Sophos-Anti Virus failed to load correctly. Sophos recommends that users upgrade both SWDETECT.DLL and SAVI.DLL each month to ensure full protection of their system. Versions of Sophos Anti-Virus before 3.15 require SAVI.DLL version 1.03. After this point users should install version 1.04 of SAVI.DLL. To install SAVI and the Sophos Anti-Virus engine follow the following procedure * Stop the third party application * Copy the Sophos Anti-virus components to the third party directory. * Restart the third party application For example to upgrade the Content Technologies MAILsweeper and WEBsweeper services 1. Stop the Content Techologies MAILsweeper and WEBsweeper services Start/Settings/Control Panel/Services Content Techologies MAILsweeper Stop Start/Settings/Control Panel/Services Content Techologies WEBsweeper Stop 2. Installation of Sweep for NT engine Put Sweep for NT Installation disk into A: drive type Expand A:\SWDETECT.DL_ SWDETECT.DLL type Expand A:\SAVI.DL_ SAVI.DLL Where represents the MIMEsweeper program directory, usually: C:\MSW\PROGRAM. giving for example Expand A:SWDETECT.DL_ C:\MSW\PROGRAM\SWDETECT.DLL Expand A:SAVI.DL_ C:\MSW\PROGRAM\SAVI.DLL 3. Restart the Content Techologies MAILsweeper and WEBsweeper services Start/Settings/Control Panel/Services Content Techologies MAILsweeper Start Start/Settings/Control Panel/Services Content Techologies WEBsweeper Start 6. Messages on the GUI appear in another language. The SWEEP For Windows NT service either runs in the "Local System" account or in an account specified at installation. Messages generated within the service are produced in the locale for that account and displayed on the GUI. If the administrator has set the machine's locale to one language, and the logged on user is running in another, Sophos Anti-Virus reports will be generated in the locale of the service while the user is presented with an interface translated to their language of choice. Compatibility issues -------------------- 1. NT 4.0 service pack 2 Important: Do not use this software with NT 4.0 service pack 2 unless you have installed the Microsoft hot fix KRNL40I.EXE. 2. Banyan VINES support Please note that InterCheck will not check files on remote Banyan VINES drives unless the Banyan VINES network support was started at boot time. 3. PATHWORKS Version 4 server NT clients which use a PATHWORKS 4 server for the central installation directory may repeatedly auto upgrade. This problem only occurs on PATHWORKS 4 and not on the more recent PATHWORKS versions. ---------------- Sophos Plc, The Pentagon, Abingdon, OX14 3YP, England Tel 01235 559933 o Fax 01235 559935 Sophos Plc, 2, Place de la Defense, BP240, 92053 Paris la Defense, France Tel 01 46 92 24 42 o Fax 01 46 92 24 00 Sophos GmbH, Am Hahnenbusch 21, D-55268 Nieder-Olm, Germany Tel 06136 91193 o Fax 06136 911940 Sophos Inc, 18 Commerce Way, Woburn, MA 01801, USA Tel 781 932 0222 o Fax 781 932 0251 Sales email sales@sophos.com Technical support email support@sophos.com Web http://www.sophos.com/